Deep Dive into Consumer Finance
Podcast: Deep Dive into Unsecured Lending
Read Time: 11 minsThe next episode in McGlinchey’s Deep Dive into Lending series takes a close look at unsecured lending with insights from Aaron Kouhoupt (Cleveland) and Adam Maarec (Washington, DC). They discuss innovations in loan applications, underwriting, and customer interactions, and then explore the other side of the equation: what today’s consumers expect from lenders and creditors.
Aaron Kouhoupt: We’d like to welcome you today to our Deep Dive session on Lending, where my partner, Adam Maarec, and I will discuss innovation in the application process, innovation in the way lenders are reviewing consumer information, and how consumers interact with lenders, both mobile and online. Some of this stuff is not overly new. We’re going to talk about it in a way that’s a little bit interesting, especially in light of Section 1033 and open banking and some other areas of consternation right now about where we’re at and how that is all going to play together. So thank you, Adam, for coming along to chat with me about this today.
Adam Maarec: Yes, thank you for having me, Aaron. I’m happy to chat with you and get into the weeds on some of the innovations here that are powering the next wave of FinTech development.
…you’re seeing lenders even outside of the FinTech market start to get involved and catch up, and recognize that, to some extent, brick and mortar and paper applications are rapidly becoming a thing of the past, and there are benefits for both lenders and consumers.
Aaron Kouhoupt: One of the things that’s going to be fun to talk about is that you’re seeing lenders even outside of the FinTech market start to get involved and catch up, and recognize that, to some extent, brick and mortar and paper applications are rapidly becoming a thing of the past, and there are benefits for both lenders and consumers. However, there are also some pitfalls that we’ll try to address as we go through this.
Adam Maarec: You end up seeing that mainstream adoption is happening because these tools are working and they’re valuable in the market in terms of both making customer experiences better, faster, easier, but also improving and expanding underwriting capabilities for lenders so that they can offer credit to more folks and make better, smarter pricing decisions.
Aaron Kouhoupt: Just to level set here real quick, what we’re talking about is, instead of the days of a paper application, or even scanning your pay stubs and faxing or emailing the pay stubs over, or frankly even uploading pay stubs into a portal, what we’re moving to is this integration where there’s more of a real time review of a consumer’s financial situation through different Application Programing Interfaces (APIs), through different methods. When a consumer is on a lender site to apply for any loan, we’ll just use an unsecured loan as an example, they’re asked to essentially connect their other financial accounts, whatever those might be. Could you talk just for a second about that, Adam? For those who don’t know, Adam and I were in-house at banks for a long time. What are your thoughts on that process, where consumers are connecting their accounts directly with their lender, especially if the lender is not the account-holding entity?
…instead of the days of a paper application, or even scanning your pay stubs and faxing or emailing the pay stubs over, or even uploading pay stubs into a portal, what we’re moving to is this integration where there’s more of a real time review of a consumer’s financial situation through different APIs.
Adam Maarec: What we’re really talking about here is cash flow underwriting. And so, if we back up a little bit, you were talking about the historical ways of assessing a credit application. One of the main ways we still evaluate a consumer’s creditworthiness is through their credit reports. If you think about a credit report, it’s a mile wide and an inch deep, telling you about all your different liabilities and your customers’ payment history and patterns, and you hope that that has predictive value. And it does. However, the innovation that we’re starting to see pick up here is to go a mile deep into a customer’s deposit account and examine their transaction and cash flow history to see how they’re managing money. What are their balances? Are they going negative? Consumers could share that information by scanning a paper copy of a deposit statement. However, what they’re doing today is connecting and providing real-time feeds of that data directly from their deposit-holding account to the lender. And so, the lender, in conjunction with a credit report, could examine this detailed, live picture of the customer’s situation and use that to inform their underwriting.
Aaron Kouhoupt: And if you take my lawyer hat off and put my business hat on for a second, the friction that is involved is so much lower, too, right? It’s faster for the consumer to be able to access their documents in a particular spot than to log onto your workday account, find your pay stubs, download, save, and upload them, right? This becomes faster; not only is it more accurate, it shows the consumers a little bit more accurately, but it’s also just a better customer experience to be able to make that connection and then let them see everything. One of the things I think you’re also seeing is that there are fraud benefits as well.
One of the main ways we still evaluate a consumer’s creditworthiness is through their credit reports. If you think about a credit report, it’s a mile wide and an inch deep, telling you about all your different liabilities and your customers’ payment history and patterns, and you hope that that has predictive value.
Let’s back up for a second, because I touched on this and didn’t talk about it as much as we can, and we don’t have time to talk about it a lot, to catch up on open banking and payments in greater depth. But there are multiple different ways; sometimes you’ll see an API where you enter your credentials. You are essentially logging into your account. You are sharing, you are affirmatively agreeing and consenting to share that data in a limited context. You usually have some control to go through and say, ‘share X, Y, Z from account A,’ as part of that integration. You go through, and you are essentially accessing your own information as a consumer, and then sharing it with the bank via the API. There are other instances where it can kind of go in and do some screen scraping, where the lender is going in and doing that. And then there’s all the open banking/1033 concepts that I know, Adam, you’ve written about and talked about a lot, that are designed to bring some consistency to that. What are your thoughts on the various methodologies in terms of the current status quo, where we stand now, and where they could be under a 1033 regime?
Adam Maarec: Yes, we could have a whole hour-long podcast discussing this, but it’s sufficient to say for right now that the market has come a long way in terms of developing more secure ways of sharing this information, you mentioned APIs, versus screen scraping, which is where a third party, usually a data aggregator, will take the customer’s username and password, store the customer’s bank username and password, and log into the website or mobile app on their behalf to extract all the necessary data they need. That’s risky for several reasons, and that’s in part why the Consumer Financial Protection Bureau (CFPB) proposed and finalized rules last year under Section 1033 of the Dodd-Frank Act to regulate this space and encourage, and ultimately require, most banks above a certain asset size to develop more secure data-sharing methods.
…the innovation that we’re starting to see take off here is to delve a mile deep into a customer’s deposit account and examine their transaction and cash flow history to understand how they manage their finances. What are their balances? Are they going negative?
And so APIs are much better from both a security and data quality perspective. They do present some challenges, where connections can break periodically. And yes, it is better and easier, I would think, in most situations, for a customer to grant access to their deposit account, for a lender to verify income by looking at regular income payments that appear on the deposit account ledger. That’s probably easier than uploading paper statements, but it still takes some friction and effort on behalf of the consumer. Here, we are talking about lending and loan applications and decisions. But, there’s also a need for a lender to continue accessing this data on an ongoing basis – maybe you want to link an account for payments, and when the customer goes to make a payment, you want to tell them, “Oh, this is your available balance in your linked deposit account – yes, you are ready to make a payment, or no, your balance is not sufficient for your upcoming payment, you’d better take action, or else you’ll be late, or you could have a returned payment.”
…what they’re doing today is connecting and providing real-time feeds of that data directly from their deposit-holding account to the lender. And so, the lender, in conjunction with a credit report, could examine this detailed, live picture of the customer’s situation and use it to inform their underwriting.
Having those ongoing connections is great and valuable, but they also come with their challenges. And so, the CFPB’s rules created an entire infrastructure around how to do this. They’re being challenged in court right now, and the CFPB has stated that it intends to reopen and revise those rules. So the industry is scratching its head, trying to figure out what those revised rules will look like. But open banking and consumer permissioned access to data are here. It has developed organically over the last 20 years without rules, and it’ll continue to grow because there’s value from both the consumer’s and the lender’s perspectives.
Aaron Kouhoupt: Yeah, thanks. As you said, we could talk for an hour and probably more, it’s really fascinating right now. One of the things that is important is that the regulators have consistently come out and said, “Look, we support this, we support these different ways, but the underlying regulations still apply. Even if you’re using an API, even if you’re using AI, even if you’re using a black box, whatever it is that you’re doing, however creative you want to get within your underwriting, what is key is that you still need to be able to comply.”
A great example is Regulation B – the need to provide an adverse action notice if you decline the credit. That adverse action notice must give specific reasons why someone was declined. It can’t just say “you don’t meet our credit policy.” The regulators came out and said, “Look, you know, this is fine, if we’re getting lower fraud results, if we’re getting better sort of underwriting and quality of loans, that’s all good and fine. However, at some point, you will need to be able to extract from that the reasons why the consumer was denied credit.” I want to say that the quote went something like, “the fact that you can’t pull it out of the black box doesn’t give you an excuse to violate Reg B. You still have to be able to come up with those reasons.” And that’s true with consents and disclosures. We see that all the time, and we answer questions a lot about it. For example, “We are moving our loan application to mobile only.” And so, how are you getting the required Fair Credit Reporting Act consents? How are you providing the adverse action notice electronically? Making sure that you have proper e-sign consent, making sure that the technology that you’re using, that you’ve tested it, right?
A notable example is Regulation B – the need to provide an adverse action notice if you decline the credit. That adverse action notice must give specific reasons why someone has declined. It can’t just say that you don’t meet our credit policy.
I remember one situation in-house where everything looked beautiful. We go to test it at the end of the day, and the process flow looks great, but it was developed on an iPad. It was developed on a 13-inch iPad and looked great, but when you pulled it up on a 9-inch phone, all of a sudden, everything was off, consents weren’t clear, and the conspicuousness, right? As you’re using the technology and you’re building the consumers’ ability to interact with you in that format, remember that you still must comply with all underlying regulations. And you still have to think about clear and conspicuous disclosures, and what that all means. It’s important, because I think sometimes it’s easy, right? I’ve got all the information, it’s all happened, it was smooth, it was quick, it was 45 seconds, we have a decision, okay? But you still have to comply, and you still need to worry about the Gramm-Leach-Bliley Act (GLBA).
You and I, Adam, have had a couple of conversations about data sharing and how data sharing works, and the fact that nothing about open banking or 1033 impacts your obligations under the Gramm-Leach-Bliley Act and who you’re allowed to share information with. And usually, you’re using consumer consent. That’s what the consumer is saying, is “I agree that you can share my information with A, B, and C,” but it’s important to ensure that you have that nailed down and are thinking about it as you move through these things, because they haven’t gone away. Those rules haven’t been updated or repealed. They still are there.
Adam Maarec: Yep. And the 1033 rulemaking was really crafty this way. And those rules are designed to overlap and play nicely with all the other existing laws and regulations on the books. And so they’re incremental obligations. But you’re absolutely right that you have to be thinking about your approach to GLBA and FCRA and Reg B and all these other laws and regulations as they apply to new innovation, right? We want our regulatory infrastructure and regulations to be tech-neutral, so that innovation can happen freely, and you want these rules to be written in a way that enables them to adapt to these new innovations. It’s really incumbent on us regulatory lawyers and our friends in-house to find these tough applications of new technology and figure out how old laws will apply to the new technology. That’s the challenge for the day. And we’ll see if the CFPB’s revised rulemaking on 1033 helps move the ball forward and resolve some of the ambiguities that are out there. If not, it’s largely up to the industry to figure out how to move forward.
As you’re using the technology and you’re building the consumers’ ability to interact with you in that format, remember that you still must comply with all underlying regulations. And you still have to think about clear and conspicuous disclosures, and what that all means.
Aaron Kouhoupt: Yes, and you and I have presented on this topic a couple of times. In each of those presentations, we’ve discussed the need to, even without 1033, look at some of the 1033 concepts as best practices moving forward. Maybe in particular around consents and how you’re getting consent depending on how sensitive the information is that you’re getting from the consumer and what that looks like and making sure that a consumer understands, “when I integrate this, this is what that means and this is what I’m sharing and this is how that data’s going to be utilized.” I think that becomes really important from a GLBA perspective. And it’s clear from some of the 1033 rulemaking that that’s where a lot of the focus was, on consumer understanding. The consent requirements from 1033 were very clearly meant to say, “This is all fine and good, but the consumer should understand what it is they’re agreeing to when they grant you access to sensitive data like their bank account information.”
So it’s wise to be thinking about those things now while we wait and see what happens with 1033. But yeah, to sum this up, at the end of the day, it’s good, it’s fun, it’s good for both the business and for the consumer to have these different ways to interact with their lender and also to have more ability to underwrite on a consumer’s actual ability to repay, not based on a snapshot in time that might be 45 to 60 days old in a credit reporting cycle and not reflective of the consumer’s actual ability to repay. Really, it has benefits in all different directions to have this kind of real-time access. Remember to keep your disclosures clear, ensuring that consumers understand what’s happening. And remember that all the old regulations apply; those are the keys here. And then we’ll all sit back and watch the unfolding drama that is 1033 and the rulemaking there and see what happens.
But you’re absolutely right that you have to be thinking about your approach to GLBA and FCRA and Reg B and all these other laws and regulations as they apply to new innovation, right? We want our regulatory infrastructure and regulations to be tech-neutral, so that innovation can happen freely, and you want these rules to be written in a way that enables them to adapt to these new innovations.
Adam Maarec: This has been a great discussion, and I can’t believe we’ve made it a whole roughly 15 minutes without talking about AI at all. However, this data that we’re talking about – we’re really at the precipice where increased access to consumer permissioned data is going to power lots of models and lots of innovation downstream. I’m really excited about what’s to come.
Aaron Kouhoupt: I like that you said that, because you reminded me that I was a minute away from breaking my own rule of not doing a single Deep Dive without talking about Unfair and Deceptive Acts and Practices (UDAP) for two seconds. You know, UDAP hangs all over this; UDAP, in particular, hangs over this situation. It is because of what I said earlier. It’s that idea of the consumer understanding what’s happening with their data. This is where you have some UDAP overlay, but you almost got me not to mention UDAP; but, that little reminder got me there.
So I appreciate you taking the time, Adam. As always, we have a couple of other sessions coming up over the next few weeks, talking about different types of lending, including unsecured lending and auto lending. We’re going to discuss student loans and what’s happening in that area. So, lots more fun stuff is coming over the next few weeks.
Adam Maarec: Thanks, Aaron.
Subscribe wherever you listen to podcasts:
© Copyright 2025 McGlinchey Stafford PLLC. This communication is published by the law firm McGlinchey Stafford and may be considered attorney advertising under the ethical rules of certain jurisdictions. It is not intended to provide legal advice or opinion. Such advice may only be given when related to specific fact situations that McGlinchey Stafford has accepted an engagement as counsel to address. No representation is made that the quality of legal services to be performed is greater than the quality of legal services performed by other attorneys. For further information, please see our Disclaimer and Privacy Policy.